Data & Privacy Policy

Last updated: March 5, 2026

1. Who We Are

Resident Scheduler is a web application developed by Marco Law for managing medical residency training programs — including rotation scheduling, call schedule generation, academic planning, and resident request management. The application is available at resident-scheduler.marcotklaw.com.

2. Data We Collect

We collect only the data necessary to provide the Resident Scheduler service:

• Account information: Name, email address, and authentication credentials (managed by Firebase Authentication). We do not store passwords directly — authentication is handled by Google Firebase.
• Program data: Program names, hospital/site information, rotation schedules, academic calendar events, and call scheduling configurations created by program administrators.
• Resident data: Resident names, email addresses, phone numbers, PGY level, student/employee numbers, base hospital assignments, and rotation schedules entered by program administrators.
• Requests and preferences: Vacation, elective, conference, lieu day, call-on, and no-call requests submitted by residents, along with call preferences.
• Generated schedules: Call schedules produced by the scheduling algorithm, including assignments, statistics, and workflow history.

3. How We Use Your Data

Your data is used solely to operate the Resident Scheduler application:

• To authenticate users and manage role-based access (sudo, admin, resident)
• To store and display program settings, rotation schedules, and academic calendars
• To process resident requests and facilitate admin review workflows
• To generate and store call schedules using the scheduling algorithm
• To send transactional email notifications about request submissions and status changes

We do not use your data for advertising, profiling, marketing, or any purpose other than providing the Resident Scheduler service.

4. Where Your Data Is Stored

• Database: All application data is stored in Google Cloud Firestore. Our Firebase project infrastructure is located in Canada (northamerica-northeast1).
• Authentication: User authentication is managed by Firebase Authentication (Google Cloud infrastructure).
• Hosting: The application is hosted on Firebase Hosting (Google Cloud).
• Email: Transactional email notifications are sent via Resend (resend.com). Email content includes request details and recipient names/addresses. Resend processes this data solely for delivery; refer to Resend's privacy policy for their data handling practices.

5. Data Sharing

We do not sell, rent, or share your personal data with third parties for their own purposes. Data is shared only with:

• Google Cloud / Firebase: As our infrastructure provider for authentication, database, hosting, and cloud functions.
• Resend: As our email delivery provider, limited to transactional notification delivery.
• Your program administrators: Admins within your residency program can view resident data, requests, and schedules as part of normal program administration.

6. Email Notifications

The application sends transactional email notifications in the following cases:

• When a resident submits a new request (notification sent to program administrators)
• When an administrator approves or denies a request (notification sent to the resident)

Important: Email notifications are only sent to registered users — users who have created an account and signed in at least once. Pending/invited users who have not yet registered do not receive any emails.

7. Cookies & Tracking

Resident Scheduler does not use:

• Third-party analytics (no Google Analytics, no tracking pixels)
• Advertising cookies or tracking cookies
• User behaviour tracking or profiling

We use localStorage in your browser solely to store your theme preference (light/dark mode). Firebase Authentication uses standard session management for login state.

8. Data Retention

Your data is retained for as long as your account exists and your residency program uses the platform. Program administrators can delete resident records and request data. Sudo administrators can remove user accounts and program data entirely.

9. Data Security

• All data is transmitted over HTTPS (TLS encryption in transit).
• Authentication is handled by Firebase Auth with industry-standard security practices.
• Access to data is controlled by role-based permissions (sudo, admin, resident).
• Cloud Functions use secret management for API keys (Firebase Secrets).

10. Your Rights

You have the right to:

• Access your personal data stored in the application
• Correct inaccurate information (contact your program administrator or the app developer)
• Request deletion of your account and associated data
• Withdraw from the platform at any time by contacting your program administrator

11. Children's Privacy

Resident Scheduler is designed for use by medical residency programs and their participants. It is not intended for use by individuals under the age of 18.

12. Changes to This Policy

We may update this privacy policy from time to time. Changes will be reflected by updating the "Last updated" date at the top of this page. Continued use of the application after changes constitutes acceptance of the updated policy.

13. Contact